Trying to create Follina detection rules


María A

Jun 10, 2022, 12:43:36 PM
to Wazuh mailing list
Hello team, 

I am trying to create rules to detect Follina. I am using John Hammond's POC.
I have created two rules that work fine at the moment:

    <rule id="102101" level="10">
        <if_matched_sid>101101</if_matched_sid>
        <field name="win.eventdata.originalFileName">^msdt.exe$</field>
        <description>Sysmon - Event 1: Process $(win.eventdata.description) - msdt.exe Detected</description>
        <options>no_full_log</options>
        <group>sysmon_event1,suspicious_follina</group>
    </rule>

    <rule id="121101" level="12">
        <if_sid>102101</if_sid>
        <field name="win.eventdata.parentImage">winword.exe$|excel.exe$|powerpnt.exe$</field>
        <description>Sysmon - Event 1: Process $(win.eventdata.description) - Office MSDT Parent detected</description>
        <group>sysmon_event1,suspicious_follina</group>
    </rule>

My question is how I can include in rule 121101 something like the following <field> so that it also checks for these values in commandLine, because two <field> tags in the same rule are not working:

<field name="win.eventdata.commandLine">^sdiagnhost.exe$|^csc.exe$|^IT_RebrowseForFile$|^IT_BrowseForFile$</field>

This is the data.win.eventdata.commandLine value:  \"C:\\Windows\\system32\\msdt.exe\" ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'Y2FsYw=='+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe\"


Thank you for your help!
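The detection logic the question is after (msdt.exe, spawned by an Office binary, AND a command line carrying the ms-msdt indicators) worked through in Python over constructed Sysmon Event 1 records, as an added example that is not code from this thread or from Wazuh. It uses Python's re module rather than Wazuh's own regex syntax, and the event values are made up to resemble the win.eventdata.* fields Wazuh decodes.

```python
import re

# Constructed Sysmon Event 1 records in the shape of Wazuh's decoded
# win.eventdata.* fields. Sample values, not captured telemetry.
EVENTS = [
    {"win": {"eventdata": {  # Office parent + ms-msdt parameters
        "originalFileName": "msdt.exe",
        "parentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
        "commandLine": '"C:\\Windows\\system32\\msdt.exe" ms-msdt:/id PCWDiagnostic '
                       '/skip force /param "IT_RebrowseForFile=? IT_BrowseForFile=<redacted>"',
    }}},
    {"win": {"eventdata": {  # user-launched troubleshooter, no Office parent
        "originalFileName": "msdt.exe",
        "parentImage": "C:\\Windows\\explorer.exe",
        "commandLine": '"C:\\Windows\\system32\\msdt.exe" -id NetworkDiagnosticsWeb',
    }}},
    {"win": {"eventdata": {  # Office parent but no ms-msdt parameters
        "originalFileName": "msdt.exe",
        "parentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
        "commandLine": '"C:\\Windows\\system32\\msdt.exe" -id WindowsUpdateDiagnostic',
    }}},
]

# Conditions mirroring rules 102101 and 121101 plus the extra commandLine check.
MSDT_ORIGINAL = re.compile(r"^msdt\.exe$", re.IGNORECASE)
OFFICE_PARENT = re.compile(r"(winword|excel|powerpnt)\.exe$", re.IGNORECASE)
# Unanchored on purpose: the indicators are substrings of the full command line,
# so a ^...$ pattern such as ^IT_BrowseForFile$ would never match it.
MSDT_PARAMS = re.compile(r"ms-msdt:|IT_RebrowseForFile|IT_BrowseForFile", re.IGNORECASE)


def classify(event):
    """Return (rule_id, level) for the highest rule the event fires, or None."""
    e = event["win"]["eventdata"]
    if not MSDT_ORIGINAL.search(e.get("originalFileName", "")):
        return None                      # not msdt.exe at all
    # Rule 121101 only escalates when BOTH conditions hold (AND semantics).
    if OFFICE_PARENT.search(e.get("parentImage", "")) and \
            MSDT_PARAMS.search(e.get("commandLine", "")):
        return (121101, 12)
    return (102101, 10)                  # any msdt.exe execution


def run_rules(events):
    """Apply classify() to every event; returns a list aligned with the input."""
    return [classify(ev) for ev in events]


if __name__ == "__main__":
    for idx, hit in enumerate(run_rules(EVENTS)):
        print(f"event {idx}: {hit}")   # → (121101, 12), (102101, 10), (102101, 10)
```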

Emiliano Zorn

Jun 10, 2022, 3:34:30 PM
to Wazuh mailing list
Hello Maria!

For this, you can create a Sibling decoder for rule 121101, and add your new field name there.

Sibling Decoders can be considered a decoder building strategy that can be of great help for those looking into building their own custom decoders. Different logs come with different needs, and sometimes extracting all the information can be challenging, especially when dealing with dynamically structured logs. The main purpose is to provide tools capable of decoding as much information as possible in the easiest way possible.


Let me know if that helps you.
Regards.